To configure access for Cyfin to Microsoft 365 Defender you will have to create a new Azure Application registration, this will again return Oauth tokens with access to the Microsoft 365 Defender API
The procedure to create an application is found on the below link:
When giving the application the API permissions described in the documentation (Incident.Read.All) it will only grant access to read Incidents from 365 Defender and nothing else in the Azure Domain.
After the application has been created, it should contain 3 values that you need to apply to the module configuration.
These values are:
- Client ID
- Tenant ID
- Client Secret
In Cyfin go to Data Management -> Setup and select Microsoft Defender
Now input the 3 values gathered from the previous steps